From: Timothy Lyons (Timothy.Lyons@PREDICTIVE.COM)
Date: Wed Mar 07 2001 - 14:21:01 CST


    Vegard Svanberg <vegard@SVANBERG.NO>
    Sent by: Incidents Mailing List <INCIDENTS@SECURITYFOCUS.COM>
    03/07/2001 08:47
    Please respond to Vegard Svanberg

            To: INCIDENTS@SECURITYFOCUS.COM
            cc:
            Subject: two machines hack through rpc.statd

    <SNIP>
    Here's the hostnames/IP addresses he came from:

    Vogz[9590]: LOGIN ON pts/2 BY Vogz FROM cx589008-a.vista1.sdca.home.com
    xinetd[8755]: START: reg pid=9614 from=63.198.203.190

    In addition, I am wondering how I should handle this further, and IF
    I should.. I am currently located in Europe while he is probably in the
    US or something, hacking from a rooted *DSL-machine.. Any tips and
    recommendations are appreciated.

    </SNIP>

    You are probably right that the machine in your logs is a compromised
    host, but sending the details of the incident to abuse@home.com would not
    hurt. Home is fairly good about responding to incidents such as this and
    at the very least the subscriber box that is being used to initiate the
    attacks could be brought offline until such time as it has been repaired.
    Make sure you reference the exact times and the timezone your logs are
    maintained in when submitting your report.

    A scan of the hostname you referenced produced the following output:
    Port State Service
    21/tcp open ftp
    25/tcp open smtp
    110/tcp open pop-3
    119/tcp open nntp
    137/tcp filtered unknown
    138/tcp filtered unknown
    139/tcp filtered unknown
    1080/tcp open socks

    Port State Service
    137/udp open unknown
    138/udp open unknown
    139/udp open unknown

    Remote operating system guess: Windows NT4

    This could be erroneous depending on the DHCP lease times Home uses for
    their clients. From the hostname, one can only assume we are dealing with
    a cable/DSL subscriber in the San Diego, CA area (sdca.home.com).

    As for tips, just the usual "don't run rpc.statd unless necessary and
    ensure you have the appropriate firewalling and ACLs in place to enhance
    the security of your system" would apply.

    --Tim
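The reply's advice to report the source with exact times and the log timezone is shown here as an added example (not code from either poster): it parses syslog lines modelled on the two quoted entries, converts their timestamps to UTC, and derives the provider's abuse mailbox from the hostname. The timestamps, the host name "gw", the CET (UTC+1) log timezone and the "last two labels form the registrable domain" rule are all assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in classic syslog form, based on the two log
# entries quoted in the thread (timestamps and host name "gw" are assumed).
SAMPLE_LOG = """\
Mar  7 08:31:17 gw Vogz[9590]: LOGIN ON pts/2 BY Vogz FROM cx589008-a.vista1.sdca.home.com
Mar  7 08:32:05 gw xinetd[8755]: START: reg pid=9614 from=63.198.203.190
Mar  7 08:35:00 gw CRON[9650]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Timezone the logs are kept in: assumed CET (UTC+1) for a host in Norway.
LOG_TZ = timezone(timedelta(hours=1), "CET")

SYSLOG_RE = re.compile(r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
# The two source patterns seen in the thread: "FROM <host>" and "from=<ip>".
SOURCE_RE = re.compile(r"\bFROM (?P<h>\S+)|\bfrom=(?P<i>\S+)")


def parse_events(text, year, log_tz=LOG_TZ):
    """Return (utc_timestamp, source) for each line that names a remote source."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        src = SOURCE_RE.search(m["msg"])
        if not src:            # lines without a remote source (e.g. cron) are skipped
            continue
        # syslog omits the year, so it is supplied by the caller
        stamp = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        stamp = stamp.replace(tzinfo=log_tz).astimezone(timezone.utc)
        events.append((stamp, src.group("h") or src.group("i")))
    return events


def abuse_contact(host):
    """Guess the provider's abuse mailbox from a hostname (assumption: last two labels)."""
    labels = host.split(".")
    if len(labels) < 2 or labels[-1].isdigit():   # bare IP: needs whois, not a hostname guess
        return None
    return "abuse@" + ".".join(labels[-2:])


def build_report(text, year):
    """One report line per event, with an unambiguous UTC timestamp."""
    lines = []
    for stamp, src in parse_events(text, year):
        contact = abuse_contact(src) or "(look up via whois)"
        lines.append(f"{stamp:%Y-%m-%d %H:%M:%S %Z} source={src} report-to={contact}")
    return lines
```

Running build_report(SAMPLE_LOG, 2001) yields lines such as "2001-03-07 07:31:17 UTC source=cx589008-a.vista1.sdca.home.com report-to=abuse@home.com".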